Handbook

Logging and reporting for small networks

6.0.0

Doc ID 4afb0436-a998-11e9-81a4-00505692583a:295072

Logging and reporting for small networks

This section explains how to configure the FortiGate unit for logging and reporting in a small office or SOHO/SMB network. To properly configure this type of network, you will be modifying the default log settings, as well as the default FortiOS report.

The following procedures are examples that you can use as a starting point when configuring your own network’s log topology. Since some of these settings can only be modified, enabled, or disabled in the CLI, review the FortiGate CLI Reference for additional information about the commands used here, as well as any others you need for your own log topology.

Modifying default log device settings

The default log device settings should be adjusted so that logging does not degrade system performance. By default, the FortiGate unit logs all FortiGate features except traffic. The default logging location is either the unit’s system memory or its hard disk, depending on the model. Units that have only a flash disk are not recommended for disk logging, because the constant writes wear the flash out.

Modifying the FortiGate unit’s system memory default settings

When the FortiGate unit’s default log device is its system memory, the memory logging settings are what you modify for a small network topology. The following is an example of how to modify these default settings.

To modify the default system memory settings
  1. Log in to the CLI.
  2. Enter the following command syntax to modify the logging settings:

    config log memory setting
    set status enable
    end

  3. The following example modifies which FortiGate features are logged to memory (here VoIP logging is disabled and the traffic, anomaly, and DNS categories are enabled):

    config log memory filter
    set forward-traffic enable
    set local-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip disable
    set multicast-traffic enable
    set dns enable
    end

Modifying the FortiGate unit’s hard disk default settings

When the FortiGate unit’s default log device is its hard disk, adjust the disk logging settings to your network’s needs so that only what you want logged is written to disk. The following is an example of how to modify these default settings.

To modify the default hard disk settings
  1. Log in to the CLI.
  2. Enter the following command syntax to modify the logging settings:

    config log disk setting
    set ips-archive disable
    set status enable
    set max-log-file-size 1000
    set storage FLASH
    set log-quota 100
    set report-quota 100
    end

  Note that this example selects FLASH as the storage location, which is the flash-disk logging the start of this section advises against. On a model that has a hard disk, make sure the storage setting points at the hard disk (check your model’s CLI Reference for the values it accepts), and size log-quota and report-quota (both in MB) so that the disk cannot fill up.

  3. In the CLI, enter the following to enable or disable event log categories; in this example VPN, routing, and WAN optimization events are not logged:

    config log eventfilter
    set event enable
    set system enable
    set vpn disable
    set user enable
    set router disable
    set wan-opt disable
    end
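
The stanzas above are easy to mistype and easy to drift from after a later change, so a practitioner usually keeps a baseline and checks the running configuration against it. The following script is an added example for this page, not Fortinet tooling and not code from the handbook: it parses flat `config ... / set ... / end` stanzas (as typed, or as printed by `show` on the FortiGate) and reports every setting that differs from a baseline built from the example values above. The sample input and the baseline values are constructed from this page; the one deviation in the sample (VPN event logging left enabled) is deliberate.

```python
"""Audit FortiOS 'config log ...' stanzas against a baseline.

This is a hypothetical audit script added for this page. It is not Fortinet
tooling and is not taken from the handbook. Feed it the text of the log
stanzas as typed or as printed by 'show' on the FortiGate, and it reports
every setting that differs from the expected baseline.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the stanzas from this page, with one deliberate
# deviation (vpn event logging left enabled) so the audit has something to
# report.
SAMPLE_CONFIG = """\
config log memory setting
    set status enable
end
config log memory filter
    set forward-traffic enable
    set local-traffic enable
    set sniffer-traffic enable
    set anomaly enable
    set voip disable
    set multicast-traffic enable
    set dns enable
end
config log disk setting
    set ips-archive disable
    set status enable
    set max-log-file-size 1000
    set storage FLASH
    set log-quota 100
    set report-quota 100
end
config log eventfilter
    set event enable
    set system enable
    set vpn enable
    set user enable
    set router disable
    set wan-opt disable
end
"""

# Expected values, taken from the example stanzas on this page.
BASELINE: Dict[str, Dict[str, str]] = {
    "log memory setting": {"status": "enable"},
    "log memory filter": {"voip": "disable"},
    "log disk setting": {"status": "enable", "ips-archive": "disable",
                         "log-quota": "100", "report-quota": "100"},
    "log eventfilter": {"vpn": "disable", "router": "disable",
                        "wan-opt": "disable"},
}

SET_RE = re.compile(r"set\s+(\S+)\s+(.*)$")


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse flat 'config X / set key value / end' stanzas into
    {stanza_name: {key: value}}. The log stanzas used here have no nested
    edit/next tables, so one nesting level is all that is handled."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            current = line[len("config "):].strip()
            stanzas.setdefault(current, {})
        elif line == "end":
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                stanzas[current][m.group(1)] = m.group(2).strip().strip('"')
    return stanzas


def audit(config: Dict[str, Dict[str, str]],
          baseline: Dict[str, Dict[str, str]] = BASELINE
          ) -> List[Tuple[str, str, str, str]]:
    """Return (stanza, key, expected, actual) for every deviation. A key
    absent from a stanza is reported as '<unset>': 'show' prints only
    non-default values, so an absent key means the option is at its default,
    which may or may not be what the baseline wants."""
    findings = []
    for stanza, expected in baseline.items():
        actual = config.get(stanza, {})
        for key, want in expected.items():
            got = actual.get(key, "<unset>")
            if got != want:
                findings.append((stanza, key, want, got))
    return findings


if __name__ == "__main__":
    for stanza, key, want, got in audit(parse_config(SAMPLE_CONFIG)):
        print(f"DRIFT: {stanza}: {key} expected {want}, found {got}")
```

Run against the sample it prints a single DRIFT line for the vpn key; run against a `show full-configuration` dump (which prints every value, not just the non-default ones) it gives a complete picture, so prefer that over plain `show` when the baseline relies on defaults.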

Testing sending logs to the log device

After modifying both the log device settings and the FortiGate features that are logged, you can test that the modified settings work. This test is run from the CLI.

To test sending logs to the log device
  1. In the CLI, enter the following command: diag log test (the abbreviated form of diagnose log test)
  2. When you enter the command, output similar to the following appears as each test message is generated:

    generating a system event message with level - warning
    generating an infected virus message with level - warning
    generating a blocked virus message with level - warning
    generating a URL block message with level - warning
    generating a DLP message with level - warning
    generating an IPS log message
    generating an anomaly log message
    generating an application control IM message with level - information
    generating an IPv6 application control IM message with level - information
    generating deep application control logs with level - information
    generating an antispam message with level - notification
    generating an allowed traffic message with level - notice
    generating a multicast traffic message with level - notice
    generating a ipv6 traffic message with level - notice
    generating a wanopt traffic log message with level - notification
    generating a HA event message with level - warning
    generating netscan log messages with level - notice
    generating a VOIP event message with level - information
    generating a DNS event message with level - information
    generating authentication event messages
    generating a Forticlient message with level - information
    generating a URL block message with level - warning

  3. In the GUI, go to Log & Report > System Events and view the most recent entries to find the generated test messages. They are easy to tell apart from real log messages because they carry placeholder rather than real data; for example, the vulnerability-scan test messages use the destination IP address 1.1.1.1 or 2.2.2.2. Because the test messages pass through the normal logging path, they also reach any remote log destinations you have enabled, so warn whoever monitors those destinations before running the test.
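
Two things a practitioner checks on the receiving side after `diag log test`: that the synthetic messages can be recognised and kept out of real alerting, and that the severity filter on the collector is not silently dropping the notice- and information-level categories the test emits. The following script is an added example for this page, not Fortinet code and not from the handbook. Its log lines are constructed to resemble FortiGate key=value output and are not real captures; the only test-message fingerprint it relies on is the one the page states, the 1.1.1.1 / 2.2.2.2 placeholder destination of the vulnerability-scan messages, and the severity order is the standard FortiOS one (the CLI spells the sixth level `notification`, while the test output also prints `notice`).

```python
"""Triage FortiGate key=value log lines: separate 'diag log test' synthetic
records from production records and check which records a severity filter
would keep.

This is an added example for this page, not Fortinet code and not part of
the handbook. The log lines below are constructed to look like FortiGate
key=value output (date, time, type, subtype, level, srcip, dstip, msg) and
are not real captures. The only test-record fingerprint used is the one the
page states: vulnerability-scan test messages carry dstip 1.1.1.1 or 2.2.2.2.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: two synthetic netscan records, one real forward-traffic
# record and one real system event whose msg contains spaces and parentheses.
SAMPLE_LOGS = [
    'date=2019-07-18 time=11:10:02 type="event" subtype="netscan" level="notice" '
    'srcip=192.0.2.10 dstip=1.1.1.1 msg="vulnerability scan test message"',
    'date=2019-07-18 time=11:10:02 type="event" subtype="netscan" level="notice" '
    'srcip=192.0.2.10 dstip=2.2.2.2 msg="vulnerability scan test message"',
    'date=2019-07-18 time=11:10:05 type="traffic" subtype="forward" level="notice" '
    'srcip=192.0.2.10 dstip=198.51.100.20 dstport=443 action="accept" msg="Accepted traffic"',
    'date=2019-07-18 time=11:10:09 type="event" subtype="system" level="warning" '
    'msg="Administrator admin login failed from ssh(203.0.113.7)"',
]

# One regex token per field: a double-quoted value (which may contain spaces
# and backslash-escaped quotes) or a bare run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# FortiOS severity order, lowest number = most severe. The CLI spells the
# sixth level "notification" while 'diag log test' output also prints
# "notice"; both map to the same rank.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "notice": 5,
            "information": 6, "debug": 7}

# Placeholder destinations the page says the test vulnerability-scan
# messages carry; nothing in production should be logged against them.
TEST_DST_IPS = {"1.1.1.1", "2.2.2.2"}


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, unquoting quoted values."""
    fields: Dict[str, str] = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        fields[key] = val
    return fields


def is_diag_test_record(fields: Dict[str, str]) -> bool:
    """True when the record uses a 'diag log test' placeholder destination."""
    return fields.get("dstip") in TEST_DST_IPS


def split_test_records(lines: List[str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (test_records, production_records) so a collector can confirm
    the test messages arrived without letting them trigger real alerts."""
    test: List[Dict[str, str]] = []
    prod: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_fortigate_log(line)
        (test if is_diag_test_record(rec) else prod).append(rec)
    return test, prod


def kept_by_severity_filter(records: List[Dict[str, str]], minimum: str) -> List[Dict[str, str]]:
    """Records whose level is at least as severe as 'minimum', i.e. what a
    'set severity <minimum>' log filter would pass. Unknown levels are kept
    so that a parsing problem never silently drops a record."""
    floor = SEVERITY[minimum]
    return [r for r in records if SEVERITY.get(r.get("level", ""), -1) <= floor]


def level_histogram(records: List[Dict[str, str]]) -> Counter:
    """Count records per (type, level); useful after 'diag log test' to see
    which message categories actually reached the collector."""
    return Counter((r.get("type", "?"), r.get("level", "?")) for r in records)


if __name__ == "__main__":
    test, prod = split_test_records(SAMPLE_LOGS)
    print("test records:", len(test), "production records:", len(prod))
    print("kept at severity warning:",
          [r["subtype"] for r in kept_by_severity_filter(prod, "warning")])
    print(level_histogram(prod))
```

With the sample input the two placeholder-destination records are set aside, and a collector filtering at `warning` keeps only the failed-login event: the notice-level traffic record, like the allowed-traffic, multicast and IPv6 traffic test messages in the listing above, is dropped, which is exactly the kind of gap the test is meant to expose.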

Configuring the backup solution

A backup solution provides a way to ensure logs are not lost if one log device fails or fills up. The following backup solution explains logging to a FortiCloud server and uploading logs to a FortiAnalyzer unit. With this backup solution there can be three simultaneous storage locations for logs: the FortiGate unit itself, the FortiAnalyzer unit, and the FortiCloud server.

Configuring logging to a FortiCloud server

The FortiCloud server can be used as a redundant backup or as your primary logging solution. The following assumes that the service has already been registered and that a subscription for expanded storage has been purchased. The following is an example of how these settings are configured for a network’s log configuration. The procedure uses the GUI; the upload time and interval settings are also configured there.

To configure logging to the FortiCloud server
  1. Go to Dashboard and click Login next to FortiCloud in the License Information widget.
  2. Enter your username and password, and click OK. (Or register, if you have not yet done so.)
  3. Logs will automatically be uploaded to FortiCloud as long as your FortiGate is linked to your FortiCloud account.
  4. To configure the upload time and interval, go to Log & Report > Log Settings.
  5. Under the Logging and Archiving header, select the desired upload time.

With FortiCloud you can easily store and access FortiGate logs that can give you valuable insight into the health and security of your network.

Configuring uploading logs to the FortiAnalyzer unit

The logs will be uploaded to the FortiAnalyzer unit at a scheduled time. The following is an example of how to upload logs to a FortiAnalyzer unit.

To upload logs to a FortiAnalyzer unit
  1. Go to Log & Report > Log Settings.
  2. In the Remote Logging and Archiving section, select the check box beside Send Logs to FortiAnalyzer/FortiManager.
  3. Select FortiAnalyzer (Daily at 00:00).
  4. Enter the FortiAnalyzer unit’s IP address in the IP Address field.
  5. To configure the upload interval and daily upload time from the CLI, open the CLI.
  6. Enter the following to set how often the upload occurs and the time of day at which the unit uploads the logs:

    config log fortianalyzer setting
    set upload-interval {daily | weekly | monthly}
    set upload-time <hh:mm>
    end

  The interval and time apply only when logs are stored locally and uploaded on a schedule (upload-option set to store-and-upload); with the real-time or 1- and 5-minute upload options the FortiGate streams logs to the FortiAnalyzer as they are generated and the schedule is not used.

  7. Alternatively, to change the upload time in the GUI, select Change beside the upload time period, make the changes in the Upload Schedule window, and select OK.

Testing uploading logs to a FortiAnalyzer unit

You should test that the FortiGate unit can upload logs to the FortiAnalyzer unit, to confirm that the settings are configured properly.

To test the FortiAnalyzer upload settings
  1. Go to Log & Report > Log Settings.
  2. In the Remote Logging and Archiving section, under Send Logs to FortiAnalyzer/FortiManager, change the upload time to the current time by selecting Change. For example, if the current time is 11:10 am, set the time to 11:10.
  3. Select OK.

The stored logs are then sent to the FortiAnalyzer unit as soon as the scheduled time is reached, and are available to view from within the FortiAnalyzer’s interface.